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1 LISTING OF THE CLAIMS 

2 What is claimed, is: 

3 1. (Currently amended)) A communications monitoring system comprising: 

4 a communications sensor for receiving and monitoring in real time communications packets 

5 flowing at arbitrary points on a network, said communications being any of communications 

6 conducted via a host and communications conducted directly; and 

7 a similarity calculator for calculating formal similarity between two packet streams of similar 

8 duration composed of communications packets entering the sensor upon arrival of the 

9 communications packets, and said sensor employing said formal similarity in detecting an 

10 intrusion. 

11 2. (Original) The communications monitoring system according to Claim 1, wherein the similarity 

12 calculator represents the two packet streams by graphs depicting amounts of data in 

13 communications packets in respective packet streams with respect to elapsed time, and calculates 

14 similarity between the two packet streams based on size of regions enclosed by the two graphs 

15 when the graphs of the packet streams are moved close to each other without intersecting each 

16 other. 
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1 3. (Original) The communications monitoring system according to Claim 1, wherein the 

2 communications sensor sends out a predetermined alert according to a similarity value calculated 

3 by the similarity calculator. 

4 4. (previously presented) A communications monitoring system comprising: 

5 a packet input means for receiving communications packets flowing at arbitrary points on a 

6 network, said communications being any of communications conducted via a host and 

7 communications conducted directly; and 

8 matching means for performing real-time matching between two packet streams composed of 

9 communications packets received by the packet input means and employing said real-time 

10 matching in detecting an intrusion. 

11 5. (Currently amended) The communications monitoring system according to Claim 4, wherein 

12 the matching means determines formal similarity between the two packet streams being similar in 

13 an amount of data and transmission interval of packets irrespective of data content and is 

14 determined based on a time lag between each corresponding pair of communications packets in 

15 the two packet streams. 

16 6. (Original) The communications monitoring system according to Claim 5, further comprising 

17 alerting means for sending out a predetermined alert according to the formal similarity between 

1 8 the two packet streams determined by the matching means. 
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1 7. (Currently amended) A communications monitoring method for monitoring data 

2 communications using a computer, comprising the steps of: 

3 acquiring in real time communications packets in sequence from arbitrary points on a network and 

4 storing them in predetermined storage means together with information about a packet stream to 

5 which the communications packets belong, said communications being any of communications 

6 conducted via a host and communications conducted directly; 

7 on reception of a predetermined communication packet, taking another communications packet 

8 received within a predetermined time before acquiring a predetermined communications packet, 

9 out of the storage means; 

10 determining formal similarity between the first packet stream which contains up to the acquired 

1 1 communications packet and a second packet stream to which the communications packet taken 

12 out of the storage means belong , said second packet stream being of similar duration of said first 

13 packet stream ; and 

14 sending out a predetermined alert according to the determined similarity. 

15 8. (Original) The communications monitoring method according to Claim 7, wherein in the step of 

16 determining the formal similarity of packet streams, the formal similarity between the two packet 
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1 streams is determined based on a time lag between each corresponding pair of communications 

2 packets in the two packet streams. 

3 9. (Original) The communications monitoring method according to Claim 7, further comprising a 

4 step of discarding information used in determining the similarity of second packet streams except 

5 the second packet stream determined to be most similar to the first packet stream. 

6 10. (Currently amended) An information processing method comprising comparing two packet 

7 streams flowing in real time on a network, the step of comparing comprising the steps of: 

8 acquiring communications packets in sequence from arbitrary points on a network and storing 

9 them in predetermined storage means together with information about a packet stream to which 

10 the communications packets belong, said communications packets being in any of communications 

1 1 conducted via a host and communications conducted directly; 

12 on reception of a predetermined communication packet, taking another communications packet 

13 received within a predetermined time before acquiring a predetermined communications packet, 

14 out of the storage means; and 

15 performing matching between the first packet stream which contains up to the acquired 

16 communications packet and a second packet stream to which the communications packet taken 

17 out of the storage means belong , wherein said second packet stream being of similar duration of 

18 said first packet stream . 
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1 11. (Original) The information processing method according to Claim 10, wherein in the step of 

2 performing matching between the packet streams, the first and second packet streams are 

3 represented by graphs which depict increments of sequence numbers of communications packets 

4 in respective packet streams with respect to elapsed time and the similarity between the two 

5 packet streams is calculated based on size of regions enclosed by the two graphs when the graphs 

6 of the packet streams are moved close to each other without intersecting each other. 

7 12. (Original) The information processing method according to Claim 11, wherein in the step of 

8 calculating the similarity between the packet streams, information used in determining the 

9 similarity is discarded according to time-axis lengths of the regions enclosed by the two graphs. 

10 13. (Original) An article of manufacture comprising a computer usable medium having computer 

1 1 readable program code means embodied therein for causing communications monitoring, the 

12 computer readable program code means in said article of manufacture comprising computer 

13 readable program code means for causing a computer to effect the steps of claim 7. 

14 14. (Original) A program storage device readable by machine, tangibly embodying a program of 

15 instructions executable by the machine to perform method steps for communications monitoring, 

16 said method steps comprising the steps of claim 7. 

17 15. (Original) An article of manufacture comprising a computer usable medium having computer 

18 readable program code means embodied therein for causing information processing, the computer 
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1 readable program code means in said article of manufacture comprising computer readable 

2 program code means for causing a computer to effect the steps of claim 10. 

3 16. (Original) A program storage device readable by machine, tangibly embodying a program of 

4 instructions executable by the machine to perform method steps for information processing, said 

5 method steps comprising the steps of claim 10. 

6 17. (Original) A computer program product comprising a computer usable medium having 

7 computer readable program code means embodied therein for causing communications 

8 monitoring, the computer readable program code means in said computer program product 

9 comprising computer readable program code means for causing a computer to effect the functions 

10 of claim 1. 

11 18. (Original) A computer program product comprising a computer usable medium having 

12 computer readable program code means embodied therein for causing communications 

13 monitoring, the computer readable program code means in said computer program product 

14 comprising computer readable program code means for causing a computer to effect the functions 

15 of claim 4. 

16 19. (Currently amended) 2-7 The communications monitoring system according to Claim 1, 

17 wherein the similarity calculator represents the two packet streams by graphs depicting amounts 

18 of data in communications packets in respective packet streams with respect to elapsed time, and 

19 calculates similarity between the two packet streams based on size of regions enclosed by the two 
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1 graphs when the graphs of the packet streams are moved close to each other without intersecting 

2 each other, and 

3 wherein the communications sensor sends out a predetermined alert according to a similarity 

4 value calculated by the similarity calculator, calculator. ( 

5 20. (previously presented) The information processing method according to Claim 10, wherein in 

6 the step of performing matching between the packet streams, the first and second packet streams 

7 are represented by graphs which depict increments of sequence numbers of communications 

8 packets in respective packet streams with respect to elapsed time and the similarity between the 

9 two packet streams is calculated based on size of regions enclosed by the two graphs when the 

10 graphs of the packet streams are moved close to each other without intersecting each other, and 

1 1 wherein in the step of calculating the similarity between the packet streams, information used in 

12 determining the similarity is discarded according to time-axis lengths of the regions enclosed by 

13 the two graphs. 
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